Data Processing Agreement

Last updated: December 19, 2025

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

  • "Controller" means you, the customer, who determines the purposes and means of processing personal data
  • "Processor" means AniltX, which processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data (collection, storage, use, disclosure, deletion)
  • "Data Subject" means the individual whose personal data is being processed
  • "Sub-processor" means any third party engaged by AniltX to process personal data
  • "Services" means the AniltX visitor intelligence platform and related services

2. Scope and Purpose

This DPA applies when AniltX processes personal data on your behalf through our visitor intelligence platform. The purpose of processing includes:

  • Visitor identification via device fingerprinting
  • Behavioral analytics and session recording
  • IP intelligence and geolocation
  • B2B contact and company enrichment
  • Heatmap and funnel analytics
  • Lead scoring and qualification

3. Data Processing Details

Categories of Data Subjects

  • Visitors to your website(s)
  • Your customers and prospective customers
  • Business contacts identified through enrichment

Types of Personal Data

  • Device identifiers and fingerprints
  • IP addresses
  • Geolocation data (country, region, city)
  • Browsing behavior (page views, clicks, scroll depth)
  • Session recordings
  • Business contact information (name, email, title, company) from enrichment providers

Duration of Processing

Personal data is retained for 90 days by default, unless you request extended retention for specific records or export data before automatic deletion.

4. Security Measures

AniltX implements appropriate technical and organizational measures to protect personal data:

  • Encryption: TLS/SSL for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication for admin accounts
  • Infrastructure: Hosted on SOC 2 compliant providers (Supabase/AWS)
  • Monitoring: Real-time security monitoring and alerting
  • Backup: Automated daily backups with encrypted offsite storage
  • Incident Response: Documented procedures for security incidents
  • Employee Training: Security awareness training for all personnel

5. Sub-processors

AniltX uses the following sub-processors to provide our services:

  • Supabase Inc. (USA) - Database hosting, authentication
  • IPInfo.io (USA) - IP intelligence and geolocation
  • Apollo.io (USA) - B2B contact enrichment
  • Square Inc. (USA) - Payment processing
  • Amazon Web Services (USA) - Cloud infrastructure

We will notify you of any changes to sub-processors with at least 30 days notice before engaging new sub-processors.

6. Data Subject Rights

AniltX will assist you in responding to data subject requests, including:

  • Access: Provide copies of personal data upon request
  • Rectification: Correct inaccurate personal data
  • Erasure: Delete personal data ("right to be forgotten")
  • Portability: Export personal data in a machine-readable format
  • Restriction: Limit processing of personal data
  • Objection: Stop processing based on legitimate interests

We will respond to data subject requests within 30 days. For urgent requests, contact privacy@aniltx.ai.

7. Data Breach Notification

In the event of a personal data breach, AniltX will:

  • Notify you within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories of data affected, and approximate number of data subjects
  • Describe likely consequences and measures taken to address the breach
  • Assist you in notifying supervisory authorities and data subjects as required by law

8. Data Retention

Personal data retention periods:

  • Visitor data: 90 days (default), extendable upon request
  • Session recordings: 90 days
  • Account data: Duration of subscription plus 30 days
  • Billing records: 7 years (legal requirement)

Upon termination of services, we will delete or return all personal data within 30 days, unless legally required to retain.

9. International Transfers

Personal data may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures as required by applicable data protection laws

10. Audits and Compliance

Upon reasonable request, AniltX will:

  • Provide documentation of security measures and compliance certifications
  • Allow audits by you or a third-party auditor (with reasonable notice and confidentiality protections)
  • Cooperate with supervisory authority investigations

11. Termination

Upon termination of the Services:

  • AniltX will cease processing personal data within 24 hours
  • You may export your data via the dashboard or API within 30 days
  • All personal data will be deleted within 30 days of termination
  • Certification of deletion available upon request

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the main Services Agreement. AniltX is liable for damages caused by processing that violates applicable data protection laws or this DPA.

13. Contact Information

For DPA-related inquiries:

Data Protection Contact: privacy@aniltx.ai

Legal Department: legal@aniltx.ai

Or visit our contact page.